fix(common): prevent stored XSS in team member overflow tooltip (#5984)

2026-03-14 17:26:44 +05:30 · 2026-03-14 17:26:44 +05:30 · e418a51432
commit e418a51432
parent 0bb4824cfa
2 changed files with 12 additions and 3 deletions
--- a/packages/hoppscotch-common/assets/themes/tippy-themes.scss
+++ b/packages/hoppscotch-common/assets/themes/tippy-themes.scss
@ -64,6 +64,15 @@
    }
  }

+  // Override truncation for multiline member-list tooltips
+  .tippy-box[data-theme~="member-list"] {
+    .tippy-content {
+      @apply whitespace-pre-line;
+      @apply block;
+      @apply overflow-auto;
+    }
+  }
+
  .tippy-box[data-theme~="popover"] {
    @apply bg-popover;
    @apply border-solid;
--- a/packages/hoppscotch-common/src/components/teams/MemberStack.vue
+++ b/packages/hoppscotch-common/src/components/teams/MemberStack.vue
@ -15,7 +15,7 @@
    </div>
    <button
      v-if="props.showCount && props.teamMembers.length > maxMembersSoftLimit"
-      v-tippy="{ theme: 'tooltip', allowHTML: true }"
+      v-tippy="{ theme: 'tooltip member-list' }"
      :title="remainingSlicedMembers"
      class="text-[8px] z-10 inline-flex h-5 w-5 cursor-pointer items-center justify-center rounded-full bg-dividerDark text-secondaryDark ring-2 ring-primary focus:outline-none focus-visible:ring-2 focus-visible:ring-primaryDark"
      tabindex="0"
@ -73,9 +73,9 @@ const remainingSlicedMembers = computed(
      .slice(maxMembersSoftLimit)
      .slice(0, maxMembersHardLimit)
      .map((member) => getUserWithRole(member as TeamMember))
-      .join(`,<br>`) +
+      .join(",\n") +
    (props.teamMembers.length - (maxMembersSoftLimit + maxMembersHardLimit) > 0
-      ? `,<br>${t("team.more_members", {
+      ? `,\n${t("team.more_members", {
          count:
            props.teamMembers.length -
            (maxMembersSoftLimit + maxMembersHardLimit),